Jorey Bump
list at joreybump.com
Wed Dec 29 11:20:56 EST 2004
John Ward wrote:

> 1. With mod_python, do I no longer have to worry about limiting the path
> available to the script? (I do my best to maintain an appropriate level
> of paranoia, so one thing I'd like to learn is what security mod_python
> handles for me and what security I need to write into my scripts.)

Frankly, I'd leave the path alone. Depending on your environment, it could affect other users or applications. For example, if I set the environment path using mod_python in a virtual host, it also changes the path for perl CGI scripts, where the correct path is more likely to matter. It may seem fine in an environment you control, but makes your application less portable. If you must use popen, set up a variable that contains the complete path to your binary, and change that when you deploy it somewhere else.

With that said, your mod_python applications will have the same rights as the apache user, so plan accordingly.

For mod_python newbies, here's a simple module to show your path, using the publisher handler:

    # path.py

    import os

    def show(req):
        # uncomment to set path
        # os.environ['PATH'] = '/usr/bin:/bin'
        return os.environ['PATH']

Access it via http://host/path.py/show

> 2. How do mod_python programmers typically handle sanitizing form input?

For me, this depends on the intended use of the data, and also partly on the version of python. For simple validation, I might turn the input into a list and check the members for illegal characters. The sets module introduced in python 2.3 is now a built-in in 2.4, making this a trivial task. But if your application might run under older versions of python, you'll have to use something a bit more universal.

For database input, I use placeholders, somewhere along these lines:

    query = """INSERT INTO users ( name, quest ) VALUES ( %s, %s )"""
    cursor = dbh.cursor()
    cursor.execute(query, (req.formdata['name'], req.formdata['quest']))

Note that this is *not* typical python string replacement. This construct allows you to send any VALUE string to the database, with necessary escapes inserted behind the scenes. It's very handy. You are encouraged to find out more about python and placeholders for your db and test it on your platform (I found a lot of misleading info, but the form above works best for me when using MySQLdb).

> 3. Assuming one has an SMTP server listening on localhost, what is the
> recommended way to add messages to the mail queue?

I prefer smtplib because it's portable, powerful, and offers excellent error handling. Of course, if you want the message queued instead of sent immediately, you'll need to configure your SMTP daemon to do so. You could do this for the MSA on port 587 to avoid running a separate instance.

> 4. When writing CGI scripts in Perl using CGI.pm, one has the option of
> limiting the size of POSTs by setting a value for the '$MAX_POST'
> variable. Is there a way to do this using mod_python? Or is this even
> something I need to worry about?

I haven't run into a need for this, but I do have some textarea form inputs that I'm concerned about, so I'd be interested if this is possible, as well.
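As an added example (mine, not code from Jorey's post or from the mod_python project), the following stand-alone Python 3 module puts the reply's defensive points together: a set-based allow-list check on a form field, a Content-Length check that does what CGI.pm's $MAX_POST does, and an insert through DB-API placeholders. sqlite3 stands in for MySQLdb so it runs offline (sqlite3 uses the '?' qmark paramstyle where MySQLdb uses '%s'). The names validate_name, check_post_size, insert_user, ALLOWED_NAME_CHARS and the sample submissions are all constructed for this example; in mod_python you would feed check_post_size the req.headers_in table.

```python
import sqlite3

# Allow-list of characters for a "name" form field (an assumption for this
# example; adjust it to the field's real requirements).
ALLOWED_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyz"
                         "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         " '-")


def validate_name(value, max_len=64):
    """Return True when value is non-empty, not over max_len, and made only of
    allow-listed characters. set(value) - ALLOWED_NAME_CHARS is exactly the set
    of offending characters, so the check is a single set difference."""
    if not value or len(value) > max_len:
        return False
    return not (set(value) - ALLOWED_NAME_CHARS)


def check_post_size(headers_in, max_post):
    """Reject a body that has no Content-Length header, a non-numeric one, or
    one that declares more than max_post bytes. Any mapping of header names to
    strings works here (mod_python's req.headers_in is one such mapping)."""
    length = headers_in.get("Content-Length")
    if length is None or not length.isdigit():
        return False
    return int(length) <= max_post


def insert_user(conn, name, quest):
    """Insert with DB-API placeholders: the driver binds each value as data,
    so quotes and semicolons in the value never become part of the SQL text."""
    conn.execute("INSERT INTO users (name, quest) VALUES (?, ?)", (name, quest))
    conn.commit()


def stored_names(conn):
    """Return the names currently in the users table, in byte order."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY name")]


def demo():
    """Run validation and placeholder inserts over constructed form input."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, quest TEXT)")
    # Constructed form submissions (name, quest), as a handler would see them.
    submissions = [
        ("Arthur", "to seek the Holy Grail"),
        ("O'Brien", "a cup of tea"),                  # apostrophe is legitimate data
        ("Robin'); DROP TABLE users; --", "run away"),  # fails the allow-list
        ("", "nothing"),                              # empty field fails too
    ]
    accepted, rejected = [], []
    for name, quest in submissions:
        if validate_name(name):
            insert_user(conn, name, quest)
            accepted.append(name)
        else:
            rejected.append(name)
    # Placeholders treat even the rejected string as an opaque value: insert it
    # directly and confirm the table still exists and holds it verbatim.
    insert_user(conn, "Robin'); DROP TABLE users; --", "run away")
    return {"accepted": accepted, "rejected": rejected, "stored": stored_names(conn)}


if __name__ == "__main__":
    print(demo())
```

The allow-list check and the placeholder insert are independent layers: the first keeps junk out of the field, the second guarantees that whatever reaches the database is stored as a value, which is why the hostile string ends up as a row rather than as a dropped table.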